CIPP/US Certification Review Flashcards

0.0(0)
Studied by 0 people
call kaiCall Kai
Locked
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
GameKnowt Play
Card Sorting

1/33

flashcard set

Earn XP

Description and Tags

Vocabulary-style practice flashcards covering U.S. privacy laws, enforcement agencies, and information management frameworks based on the September 2025 CIPP/US outline.

Last updated 7:39 PM on 7/8/26
Name
Mastery
Learn
Test
Matching
Spaced
Call with Kai
Chat

No analytics yet

Send a link to your students to track their progress

34 Terms

1
New cards

Penumbra

A legal concept where the Supreme Court recognizes constitutional rights to privacy as being derived from other provisions and protections in law, despite the word 'privacy' not appearing in the U.S. Constitution.

2
New cards

Preemption

The legal principle where a superior government’s laws supersede or override those of a lower authority, such as federal law overriding state Law.

3
New cards

Deceptive Trade Practices

A practice involving a material statement or omission that is likely to mislead consumers acting reasonably under the circumstances, enforced by the FTCFTC.

4
New cards

Unfair Trade Practices

Practices that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or competition.

5
New cards

Consent Decree

A legal agreement where a company does not admit fault but promises to change its practices, often requiring external audits and specific remedies to avoid further litigation.

6
New cards

Data Inventory

The process of identifying what Personally Identifiable Information (PIIPII) an organization has, where it is stored, how it is processed, and how it is transmitted.

7
New cards

Privacy Lifecycle: Assess

The first phase of the privacy operational lifecycle which involves identifying the privacy program's current state and evaluating risks.

8
New cards

Dark Pattern

A user interface designed to manipulate or coerce users into making choices that they might not otherwise make, often by providing no real choice in sharing personal information.

9
New cards

Ransomware

Malware that encrypts a system and its data, demanding payment for decryption and sometimes threatening the public disclosure of PIIPII.

10
New cards

FACTA Disposal Rule

A rule requiring anyone using consumer reports to dispose of such information in a way that prevents unauthorized access, such as burning, shredding, or destroying electronic data.

11
New cards

Privacy Notice

An external-facing document for customers explaining how an organization collects, uses, shares, and retains Personally Identifiable Information (PIIPII).

12
New cards

Data Processing Agreement (DPADPA)

A contract specifying how a third-party vendor will handle PIIPII on behalf of an organization, including adherence to laws and response protocols for data requests.

13
New cards

Binding Corporate Rules (BCRsBCRs)

A safeguard allowing multinational companies to transfer personal data between different countries after obtaining certification from a Data Protection Authority (DPADPA).

14
New cards

Standard Contractual Clauses (SCCsSCCs)

The most common legal basis for transferring personal data from the EUEU to the USUS, where a company agrees to comply with EUEU law and be supervised by a DPADPA.

15
New cards

Controller

Under GDPRGDPR, the entity that determines the business objectives and means of data processing, carrying more legal responsibility than the processor.

16
New cards

HIPAA Covered Entity

Entities subject to HIPAAHIPAA regulations, including healthcare providers, insurance companies, and their business associates.

17
New cards

Information Blocking

A practice prohibited by the 21st21\text{st} Century Cures Act where healthcare entities interfere with the access, exchange, or use of electronic health information.

18
New cards

Consumer Reporting Agency (CRACRA)

An entity, such as Equifax, Experian, or TransUnion, that furnishes consumer reports used to establish eligibility for credit, insurance, or employment.

19
New cards

Permissible Purpose

A specific legal reason defined under FCRAFCRA (such as a court order or consumer request) required for a CRACRA to furnish a consumer report.

20
New cards

Red Flags Rule

A requirement under FACTAFACTA for financial entities to maintain a written program to detect and respond to patterns or activities that indicate identity theft.

21
New cards

GLBA Safeguards Rule

A regulation requiring financial institutions to maintain a security program with administrative, technical, and physical safeguards to protect customer information.

22
New cards

Divestiture

A transaction where a company sells off a part of its business, necessitating a 'data clean room' for due diligence and new notices of consent as a new controller takes over.

23
New cards

Educational Record

Under FERPAFERPA, all records (K-1212 through university) maintained by a school, including grades and financial aid, but excluding alumni and campus police records.

24
New cards

Telemarketing Sales Rule (TSRTSR)

An FTCFTC rule requiring telemarketers to disclose self-identification, prohibit abandoned calls, and adhere to calling hours between 88 am and 99 pm.

25
New cards

Customer Proprietary Network Information (CPNICPNI)

Detailed data collected by telecommunications carriers (call logs, billing info, features) that requires express consent before being shared with third parties.

26
New cards

Video Privacy Protection Act (VPPAVPPA)

A federal law prohibiting 'video tape service providers' from sharing customer personal information without consent, enacted after the disclosure of a Supreme Court nominee's rental records.

27
New cards

Suspicious Activity Report (SARSAR)

A report filed with FinCENFinCEN by financial institutions if they suspect insider fraud, money laundering, or crimes involving amounts of 5k5k or more.

28
New cards

Wiretap Act (Title III)

A law prohibiting the interception of oral or wired (phone) communications, requiring at least one party's consent federally, or all parties' consent in stricter states.

29
New cards

Pen Register

A device or process that records the telephone numbers of outgoing calls, authorized if the information is deemed 'relevant to an ongoing investigation'.

30
New cards

FISA Section 702702

An amendment allowing the government to conduct mass surveillance of non-USUS persons located outside the USUS for up to a year via certification rather than an individual warrant.

31
New cards

GINA

The Genetic Information Nondiscrimination Act, which makes it illegal for employers to gather genetic information or use it for hiring, compensation, or termination decisions.

32
New cards

Cure Period

A specific timeframe, such as 3030 days, granted to an organization to rectify a privacy violation before regulatory penalties are enforced.

33
New cards

BIPA

The Illinois Biometric Information Privacy Act, which requires consent for collecting biometric data and grants individuals a private right of action for violations.

34
New cards

Washington My Health, My Data (MHMD) Act

A 20232023 law intended to protect health data not covered by HIPAAHIPAA, notably prohibiting geofencing within 2000ft2000ft of healthcare facilities for tracking purposes.